The entire header configuration (not individual errors) is analyzed for the Web Application Headers risk vector. Refer to the following configuration requirements.
- Requirements for GOOD grade: No misconfigured headers (required or optional) are present.
- Requirements for FAIR grade: No more than 50% distinct misconfigured headers can be present (required and optional)
For HTTP connections, no headers are graded unless Set-Cookie is defined. The finding grade defaults to NEUTRAL.
See all assessed headers or how the Web Application Headers risk vector is assessed.
The Web Application Headers (WAH) risk vector was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned with an N/A grade.
Header Requirements for Transfer Protocols
| Header | HTTP 1.0 | HTTP 1.0 (HTTPS) | HTTP 1.1 | HTTP 1.1 (HTTPS) |
|---|---|---|---|---|
| Access-Control-Allow-Origin | Optional | |||
| Cache-Control | Optional | Required | ||
| Content-Security-Policy | Required | |||
| Expires | Required | Optional | ||
| HTTP Strict-Transport-Security | Optional | Required | Optional | Required |
| Location | Optional | |||
| Set-Cookie | Optional | |||
| WWW-Authenticate | Optional | |||
| X-Content-Type-Options | Required | |||
| X-Frame-Options (Frame-Options) | Required | |||
| X-XSS-Protection | Optional | |||
HTTP Downgrade
The following errors downgrade the response from HTTPS to HTTP:
-
200responses -
30Xresponses -
401responses
See HTTP downgrade finding messages.
HTTP 1.1 (HTTPS)
| Response | Description |
|---|---|
200 |
We validate that no hyperlinks in the HTML for the web page downgrade the user inside the site and the domain of the site. We also validate and ensure the HTML of the webpage does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS. The finding is graded BAD if these resources are present. |
30x (301, 302, 307) |
Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded as BAD. |
HTTP 1.0 (HTTPS)
| Response | Description |
|---|---|
200 |
We validate that no hyperlinks in the HTML for the web page downgrade the user inside the site and the domain of the site. We also validate and ensure the HTML of the webpage does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS. The finding is graded BAD if these resources are present. |
30x (302, 307) |
Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded as BAD. |
- October 14, 2025: WAH non-graded.
- August 16, 2024: Published.
Feedback
0 comments
Please sign in to leave a comment.